Analysis
-
max time kernel
149s -
max time network
153s -
platform
android-11_x64 -
resource
android-x64-arm64-20240910-en -
resource tags
-
submitted
20-01-2025 22:08
General
-
Target
73468c18b78b0ec4d7a1e3e0e6cebae2710e46ac6680fb78e9099a93bbd601fa.apk
-
Size
2.3MB
-
MD5
e4c15a6451bbb6a0c862961b831f5772
-
SHA1
e56047386dd6794b6ae36575c8e15c9ca3214333
-
SHA256
73468c18b78b0ec4d7a1e3e0e6cebae2710e46ac6680fb78e9099a93bbd601fa
-
SHA512
67f66e52cee97293cf8d832f7c1b28a1aa2ce36b16cf51d050e52a2ef0b534c320e61ee215fa3ba153a317e4a886d1aae38e820b5c5af8c228569d2874f94c40
-
SSDEEP
49152:4SvhEo+JpdCGKbmxAdb5wfMx4+ga99w47xpEz304tkA4/rr9M9GMH3YKE6:4SvGb8vmx6afi4Ky4gLtkA4u9GMoKd
Malware Config
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Extracted
octo
https://yenisafakhaberler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmansetler.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgunluk.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksondakika.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyazarlar.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakgundem.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakekonomi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakspor.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakdunya.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakmagazin.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksaglik.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafaksiyaset.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilisim.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakyerel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakaktuel.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakbilgi.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakvizyon.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakteknoloji.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakkultur.xyz/Y2U1NjM1NzFkZTlk/
https://yenisafakinsan.xyz/Y2U1NjM1NzFkZTlk/
Signatures
-
Octo
Octo is a banking malware with remote access capabilities first seen in April 2022.
-
Octo family
-
Octo payload 1 IoCs
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
-
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Acquires the wake lock 1 IoCs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
-
Reads information about phone network operator. 1 TTPs
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests modifying system settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.techvision.smartsapp1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests modifying system settings.
- Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Credential Access
Access Notifications
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
Software Discovery
1Security Software Discovery
1System Network Configuration Discovery
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
153KB
MD589a25de81cc4c08f4cf78e682e231307
SHA1791c9ebdf4697df736a54c07d032b1ecb01bd65b
SHA25609437bd800a71e27239ad4e6e0c9ea21a1faa8e37edd9b2a984ec7e7f891274f
SHA512239a49411776d028f1a6a43f6feb7df4a2d21a4120cfd3e7770c45945d1158d19f5a8bf9a7da5904486c371f203ee413139863810439670fdbdb0b6240df7102
-
Filesize
153KB
MD5dac352ce14dd5e8a8ca7e1f54e602b59
SHA1e3dce8f646304cdd4fee39a7621320943b66b058
SHA2562cbeba8109bf27c0c4d76a17ce843ee1c654d5604271f70da0a4e70ed447339f
SHA512731d9e3ecc7078523df7b7078547515d93f87d19f1a618e41cb067f01200f9b0cd0251baf635e9e67c0a88518e487dcc2f399bc6e93b1111bd8d4df12bff8bb2
-
Filesize
450KB
MD5fd73e2c351057b206df49a84b2a4bb42
SHA1a5b3ba88bbb1c7278f9a6fe8d2d4376b606809c4
SHA256aded517d22613e0dc8ad3c8239027623aadb134c51ca9a5a303abb1f4723b0d2
SHA512a1aad9e3fae4bd2c316361cbc147129b447c586f4ad184171f7bc18c242df3a467b29a4faf24155cfcf707191c403f2625aa8e057abd7bdace084f53e01c138e